Wednesday 22 August 2012

Secure and simple picture repo

This article is about how to access your pictures stored on your NAS in an easy and secure way. Getting there is not easy, so I have written this tutorial :)

Background

I take a lot of pictures using different capture sources. Sometimes I need to add missing GPS coordinates and sometimes I correct them when they are off. It happens that I move all my pictures, from one NAS to another for example. To control all this I rely on version control, and a centralized one like SVN suits me well. I have Svnserve running on my Synology ds412+ NAS, serving me whenever and wherever I need the pictures. This is something I want done securely and easily.

What you will be able to do
Access your NAS repository securely using only a few keystrokes

Preconditions

  • Svnserve installed on NAS (I'm using Synology ds412+, but if you have a Qnap you should get along quite well) with a repository for pictures
  • some basic Linux skills 
  • Vi editor skills
  • Windows on client
  • You will need the following tools
    • TortoiseSVN
    • Putty
    • Pageant
    • PuttyGen
    • Slickrun
    • Cygwin (with svn-package)
    • KeePass (well, not mandatory)

Let's go!

Create user on NAS
I didn't want to use my NAS' admin account, so I created a new user, let's call it "picture-user". Do the following on your NAS:

  1. create picture-user
  2. make sure "User home service" is enabled: Control Panel > User > User Home button > "Enable user home service". (We need this so that we can store the user's RSA keys.)
  3. make sure you can SSH in with the created user. In Cygwin: ssh picture-user@nas-ip. If it is not working, enable it this way:
    1. ssh root@nas-ip
    2. vi /etc/passwd
    3. change the shell from "/sbin/nologin" to "/bin/ash" for picture-user


Make sure Home Service is enabled in Synology DSM

Key authentication is on
Make sure you can use rsa keys for authentication on your NAS

  1. ssh into NAS as root
  2. vi /etc/ssh/sshd_config
    1. make sure the line "PubkeyAuthentication yes" is present and not commented out with a leading #
    2. make sure the line "AuthorizedKeysFile .ssh/authorized_keys" is present and not commented out with a leading #
  3. If you have made any changes and saved the file, restart sshd: /usr/syno/etc.defaults/rc.d/S95sshd.sh restart &

Create SSH keys for user

  1. SSH in to the NAS with picture-user
  2. (since you enabled home services you should be in picture-user's home directory. If not, make sure you are)
  3. create SSH directory: mkdir .ssh
  4. navigate: cd .ssh
  5. create keys:
    1. ssh-keygen -t rsa
    2. accept the file path suggested
    3. enter a passphrase and save. If you want KeePass to auto-type it, create a new entry and in the "Auto-Type" tab write "Cygwin*" for the Target Window and "{Password}{ENTER}" for the Keystroke Sequence.
  6. Verify that you have the following files in your picture-user's .ssh directory
    1. id_rsa (private key)
    2. id_rsa.pub (public key)
  7. create the authorized_keys file: cat id_rsa.pub >> authorized_keys
  8. Verify that
    1. picture-user is the owner of the .ssh folder and of authorized_keys. Run the following from picture-user's home directory: ls -la
    2. the .ssh folder has permissions 700 (chmod 700 .ssh)
    3. authorized_keys has permissions 600 (chmod 600 .ssh/authorized_keys)
  9. copy the private key to your Windows machine
  10. verify that you can log in to the NAS with the keys you have created: ssh picture-user@nas-ip -i <path_to_private_key> (make sure Cygwin understands the path: no "c:\", use "/c/" instead). Enter the passphrase when Cygwin asks you (or auto-type it using KeePass auto-type: ctrl+alt+A).
  11. repeat the step above, but access the repository from outside of your LAN. Make sure your router redirects calls for SSH (port 22) and svn (port 3690). If you have a dynamic IP, verify the SSH access together with a dynamic DNS service.
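The two things the tutorial asks you to verify by hand, the uncommented sshd_config lines and the .ssh permissions and ownership, can be checked with a small script. This is an added example, not from the original post; it runs on a constructed sshd_config and temporary .ssh directories, so to check a real NAS you would point the functions at /etc/ssh/sshd_config and ~picture-user/.ssh.

```shell
#!/bin/sh
# Added example: verify the sshd_config edits and the .ssh permission/ownership
# checks from the tutorial. Uses GNU/busybox stat -c, as found on the NAS.

# Return 0 if file $2 has an active (uncommented) line "$1 $3".
# A leading "#" fails the match, which is exactly the default-config pitfall.
sshd_option_active() {
    grep -Eq "^[[:space:]]*$1[[:space:]]+$3"'[[:space:]]*$' "$2"
}

# Both lines the tutorial requires in /etc/ssh/sshd_config must be active.
check_sshd_config() {
    sshd_option_active PubkeyAuthentication "$1" yes &&
    sshd_option_active AuthorizedKeysFile "$1" '\.ssh/authorized_keys'
}

# .ssh must be 700 and authorized_keys 600, otherwise sshd ignores the key.
check_ssh_dir_perms() {
    [ "$(stat -c %a "$1")" = "700" ] &&
    [ "$(stat -c %a "$1/authorized_keys")" = "600" ]
}

# Directory and key file must both belong to the login user ($2).
check_ssh_dir_owner() {
    [ "$(stat -c %U "$1")" = "$2" ] &&
    [ "$(stat -c %U "$1/authorized_keys")" = "$2" ]
}

# Build constructed test data: a default-style sshd_config with the options
# still commented out, a fixed one, and a bad and a good .ssh directory.
make_fixture() {
    tmp=$(mktemp -d)
    printf '#PubkeyAuthentication yes\n#AuthorizedKeysFile .ssh/authorized_keys\n' \
        > "$tmp/sshd_config.default"
    printf 'PubkeyAuthentication yes\nAuthorizedKeysFile .ssh/authorized_keys\n' \
        > "$tmp/sshd_config.fixed"
    mkdir "$tmp/ssh_bad" "$tmp/ssh_good"
    touch "$tmp/ssh_bad/authorized_keys" "$tmp/ssh_good/authorized_keys"
    chmod 755 "$tmp/ssh_bad";  chmod 644 "$tmp/ssh_bad/authorized_keys"
    chmod 700 "$tmp/ssh_good"; chmod 600 "$tmp/ssh_good/authorized_keys"
    echo "$tmp"
}

F=$(make_fixture)
if check_sshd_config "$F/sshd_config.default"; then echo "default: OK"; else echo "default: options commented out"; fi
if check_sshd_config "$F/sshd_config.fixed";   then echo "fixed: OK";   else echo "fixed: missing options"; fi
if check_ssh_dir_perms "$F/ssh_bad";  then echo "ssh_bad: OK";  else echo "ssh_bad: fix with chmod 700/600"; fi
if check_ssh_dir_perms "$F/ssh_good"; then echo "ssh_good: OK"; else echo "ssh_good: wrong permissions"; fi
```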
Create a Putty session
We need to create a session in Putty since TortoiseSVN's Repo-browser will be using it (automagically) when connecting to the repository.
  1. Under "Session"
    1. Under "HostName...": write your static IP or dynamic DNS name
    2. Under Port: write the port you are redirecting SSH calls in your router
  2. Under "Connection" > Under "Data" > "Auto-login username": picture-user
  3. Go back to "Session" and under "Saved sessions" write for example the same entry as for "Host Name". This session name will be used in the path in the Repo-browser.
  4. Save!
  5. Verify that the session is working by pressing "Open"-button. You should see "Authenticating with public key..." and a demand for a passphrase. Make sure you are able to connect after entering the passphrase.
(You do not need to put the private key under "SSH" > "Auth" > "Private key file for authentication" since we will be using Pageant instead).

The session will be stored in the registry at HKEY_CURRENT_USER > Software > Simon Tatham > Sessions.

Convert the private key to Putty lingo
We will be using TortoiseSVN together with Pageant to access the repository. For Pageant to accept our key we need to convert it to Putty format.
  1. Run PuttyGen
  2. Press "Load", change the file type from "Putty Private Key Files (*.ppk)" to "All files (*.*)" and select the private key
  3. Enter the pass-phrase for the private key (do you have the passphrase in KeePass?)
  4. Change the value under "Key comment" to something more meaningful. This makes it easier to tell the keys apart in Pageant.
  5. Press "Save private key", enter a name and save it
Pageant and passphrase
It is annoying to have to enter the passphrase each time you access your repository, so we let Pageant handle it. You will then only have to enter the passphrase once for each time you start Pageant.
  1. Open Pageant and press "Add Key"
  2. Select the private .ppk key and provide the passphrase. The key is now accessible instantly, without a passphrase, whenever TortoiseSVN (Putty) requests it.
If you log off and log in again in Windows the key will be forgotten by Pageant. To simplify this, you can create a shortcut to Pageant and in "Target" provide all the keys you want to be there when Pageant starts:

<path_to_pageant>\pageant.exe <path_to_key_1>\id_rsa.ppk <path_to_key_2>\id_rsa.ppk

Wrapping up
Let's wrap things up and see how it works by using TortoiseSVN and SSH to access the repository.

Open TortoiseSVN's Repo-browser and enter the path to your repository: svn+ssh://<dynamic_dns_name.com>/<repository_path>. If everything is working you should see the repository, accessed securely over SSH.

Let us simplify the opening of the Repo-browser by using SlickRun.
  1. Run SlickRun and create a new "MagicWord"
    1. Under "Filename or URL": write the path to TortoiseSVN's Repo-browser (c:\Program Files\TortoiseSVN\bin\TortoiseProc.exe)
    2. Under "Parameters", write: /command:repobrowser /path:svn+ssh://<dynamic_dns_name.com>/<repository_path>

New MagicWord in SlickRun. (The user name is optional if you have it set in Putty. Between @ and /, you use the Putty session name.)

When you're done, all you need to do is activate SlickRun by its shortcut and type a "p". Hit enter and TortoiseSVN's Repo-browser should appear.

Fast access to Repo-browser by typing magic words in SlickRun

If you do not want to use a Putty session name and prefer an IP, then you need to configure TortoiseSVN if you are using a non-standard SSH port. See the picture below.
Specifying the non-standard SSH port

Troubleshooting

Problem: "ash: svnserve: not found"
Solution: create a symlink as root "ln -s /opt/bin/svnserve /usr/bin/svnserve"


Summary
We started by creating and configuring a user on the NAS and made sure that the NAS would accept log in with keys. Then we created the keys and verified that we can use them. We created a Putty session to be used by TortoiseSVN's Repo-browser. We added the private key to Pageant and connected to our repo without entering a passphrase. Finally, we used SlickRun to simplify the access to the repository.

Yes, there is a lot of configuration to do, but now you have fast and secure access to your repository.

Please feel free to comment on improvements.

EDIT 1: added more accurate instructions.
EDIT 2: added comment for the SlickRun MagicWord image.
EDIT 3: added troubleshooting section.
EDIT 4 (April 29th, 2013): Added screenshot for non-standard SSH port in TortoiseSVN
